Security Management //

Encryption

7/2/2018
08:05 AM
Joe Stanganelli
Seamless Cloud Security Depends on Encryption Done Right

As enterprises shift to the cloud, there is a debate about how best to secure data as it moves from one platform to another. A Boston startup is betting on encrypting data both in motion and at rest, and that could be the next big trend.

To the InfoSec neophyte, it may seem axiomatic that data should be encrypted always and everywhere -- particularly in the age of the so-called "seamless" cloud.

And, despite sophisticated arguments to the contrary, one recently funded Boston-area startup is founded on the proposition that the neophytes are right.

Some pundits contend that accessibility tradeoffs may outweigh any security benefit when it comes to encrypting data at rest in addition to data in transit -- not least because an attacker who compromises the right user's credentials can decrypt whatever that user can, making the encryption moot. (See My Cybersecurity Predictions for 2018, Part 4: Regulating Encryption.)

In an interview with Security Now, Randy Battat, CEO of email- and file-encryption startup PreVeil, countered that, tradeoffs aside, end-to-end encryption of data both in transit and at rest is vital to seamless cloud security because of infrastructure trends -- particularly as IT organizations evolve from on-premises to hybrid cloud, from hybrid cloud to multicloud, and from all of these to seamless cloud environments.

For Battat, an even more pervasive but often overlooked problem lies with the data in between: data in use.

"There's a new generation of apps emerging to deal with this latent... legacy problem of plaintext data living on servers," Battat said. "Whether it's encrypted at rest or in transit, the problem is plaintext data being decrypted in use."

While not everyone is in agreement, these trends have some analysts thinking about encryption in the cloud era in new ways.

"Encrypting data at all times (at rest, in transit, and during processing) and during the whole data lifecycle -- from creation to destruction -- is that 'ideal world' that we all look for," Martin Whitworth, IDC's Research Director for European Data Security and Privacy, wrote to Security Now. "Unfortunately, practicalities often get in the way."

As Battat puts it, however, it is the prevailing security practices that have become impractical, often amounting to little more than "building higher and higher walls" that do no good once an intruder gets in through a door or a window. Data segmentation is increasingly deployed to meet data-stewardship goals in seamless cloud environments, but those goals can be undone by the very accessibility measures that make such clouds seamless in the first place. The fundamental end-to-end security problem for email and file sharing lies in the accessibility those applications demand by their nature: their data must be stored indefinitely, sometimes forever.

"Certain discoveries are only unlocked when you have enough mass," Stefaan Vervaet, Western Digital's Senior Director of Strategic Alliances and Market Development, wrote in a recent blog post. "It's no surprise that some companies may decide to never delete data again."

Many enterprise IT organizations consequently wind up with a severely deficient software-development lifecycle (SDLC), with sensitive data hiding in places they never intended and do not know about, often in multiple centralized locations. (See Uber Loses Customer Data: Customers Yawn & Keep Riding.)

"Centralization creates exposure," points out PreVeil's "manifesto." "If an attack on a single server or network device yields vast quantities of valuable information, one can be sure the attackers will target this central point of failure."

While the decentralization of a seamless cloud can thus aid information security, new problems crop up in such an environment as accessibility requirements collide with environment-specific processing challenges.

"If you have a hybrid [cloud], how do you effectively manage the encryption schemes (and keys) across these different environments?" Whitworth said. "[This includes] the challenges of managing keys -- not just for encryption/decryption, but also the issues of key rotation, issuance, cancellation, distribution, etc."

PreVeil's end-to-end encryption (based on XSalsa20, a stream cipher) for file sharing and email purports to work much like Dropbox: users "drag and drop" to encrypt data, and that encryption is synchronized across all of their devices, without the user ever having to handle individual keys. Battat reports that PreVeil's cloud servers, meanwhile, see neither the plaintext data nor the decryption keys. Additionally, because administrative access is validated cryptographically rather than by whatever business logic happens to be stored on the servers, an intruder who has compromised a single VIP admin or executive does not necessarily get the whole pot of gold.

Ultimately, said Battat, this kind of end-to-end encryption is uniquely suited to securing a seamless cloud environment precisely because it removes the need to trust unfamiliar servers with exposed data, or any servers at all.

"The hybrid environment doesn't have to be any less secure if you're using end-to-end encryption because the whole premise is that anything on the server is not trustworthy," said Battat. "End-to-end encryption does a pretty good job because the encryption is handled at the client side -- so you're not really relying on server qualities to guarantee your safety."
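To make the model in the preceding paragraphs concrete, here is an added example (not PreVeil's code, and not from the article): a stdlib-only Python XSalsa20 built as Bernstein specifies it (Salsa20 core, HSalsa20 subkey derivation, 192-bit nonce), wrapped in a toy client/server exchange in which the server stores only the nonce and the ciphertext and never holds the key. `CloudServer`, `client_encrypt`, `client_decrypt` and `round_trip` are hypothetical names invented for this example, and the file name and message are constructed sample input. One caveat a practitioner should keep in mind: XSalsa20 on its own gives confidentiality but no integrity; NaCl/libsodium pair it with Poly1305 in `crypto_secretbox`, and a production system should use that library rather than this illustration.

```python
"""Client-side XSalsa20 with a server that only ever holds ciphertext.

Added illustration (stdlib only): Bernstein's Salsa20 core, HSalsa20, and the
XSalsa20 stream built on them, then the end-to-end model from the article.
CloudServer, client_encrypt, client_decrypt and round_trip are hypothetical
names for this example, not PreVeil's API. Confidentiality only: no Poly1305.
"""
import secrets
import struct

MASK = 0xFFFFFFFF
SIGMA = (0x61707865, 0x3320646E, 0x79622D32, 0x6B206574)  # "expand 32-byte k"

# Index groups for the Salsa20 column round and row round (spec section 3-4).
_COLUMNS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
_ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))


def _rotl(v, n):
    return ((v << n) & MASK) | (v >> (32 - n))


def quarterround(y0, y1, y2, y3):
    """The Salsa20 quarterround on four 32-bit words."""
    z1 = y1 ^ _rotl((y0 + y3) & MASK, 7)
    z2 = y2 ^ _rotl((z1 + y0) & MASK, 9)
    z3 = y3 ^ _rotl((z2 + z1) & MASK, 13)
    z0 = y0 ^ _rotl((z3 + z2) & MASK, 18)
    return z0, z1, z2, z3


def _double_rounds(words, rounds=20):
    """rounds/2 doublerounds: each is a columnround followed by a rowround."""
    x = list(words)
    for _ in range(rounds // 2):
        for a, b, c, d in _COLUMNS + _ROWS:
            x[a], x[b], x[c], x[d] = quarterround(x[a], x[b], x[c], x[d])
    return x


def salsa20_hash(block):
    """64-byte Salsa20 hash: 20 rounds plus feed-forward of the input words."""
    w = struct.unpack("<16I", block)
    z = _double_rounds(w)
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(w, z)])


def _expand(key, n16):
    """Salsa20 expansion of a 32-byte key and a 16-byte nonce/counter block."""
    k = struct.unpack("<8I", key)
    n = struct.unpack("<4I", n16)
    return struct.pack("<16I", SIGMA[0], *k[:4], SIGMA[1], *n,
                       SIGMA[2], *k[4:], SIGMA[3])


def hsalsa20(key, n16):
    """Derive a 32-byte subkey: core without feed-forward, eight chosen words."""
    z = _double_rounds(struct.unpack("<16I", _expand(key, n16)))
    return struct.pack("<8I", *[z[i] for i in (0, 5, 10, 15, 6, 7, 8, 9)])


def xsalsa20_xor(key, nonce, data):
    """XOR data with the XSalsa20 keystream (32-byte key, 24-byte nonce)."""
    assert len(key) == 32 and len(nonce) == 24
    subkey = hsalsa20(key, nonce[:16])           # first 16 nonce bytes -> subkey
    out = bytearray()
    for ctr, i in enumerate(range(0, len(data), 64)):
        block = nonce[16:] + struct.pack("<Q", ctr)  # last 8 nonce bytes + counter
        ks = salsa20_hash(_expand(subkey, block))
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


class CloudServer:
    """Hypothetical storage/relay: it holds opaque blobs, never key or plaintext."""

    def __init__(self):
        self.blobs = {}

    def put(self, name, nonce, ciphertext):
        self.blobs[name] = (nonce, ciphertext)

    def get(self, name):
        return self.blobs[name]


def client_encrypt(key, plaintext):
    nonce = secrets.token_bytes(24)  # 192-bit nonce: safe to pick at random per file
    return nonce, xsalsa20_xor(key, nonce, plaintext)


def client_decrypt(key, nonce, ciphertext):
    return xsalsa20_xor(key, nonce, ciphertext)


def round_trip(message):
    """Upload via the server and read back; the key never leaves the client."""
    key = secrets.token_bytes(32)  # lives only on the user's devices
    server = CloudServer()
    server.put("deck.pptx", *client_encrypt(key, message))   # constructed sample
    nonce, ct = server.get("deck.pptx")  # all a server compromise would yield
    return client_decrypt(key, nonce, ct)


if __name__ == "__main__":
    print(round_trip(b"Q3 board deck - confidential"))
```

The design choice worth noticing is the nonce size. Plain Salsa20 has a 64-bit nonce, which is too small to pick at random across many devices syncing the same account; XSalsa20's 192-bit nonce lets every device choose a fresh random nonce per file with no coordination, which is what makes "synchronize across all devices without worrying about keys" workable on the client side.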

— Joe Stanganelli, principal of Beacon Hill Law, is a Boston-based attorney, corporate-communications and data-privacy consultant, writer, and speaker. Follow him on Twitter at @JoeStanganelli.
